[ale] Running an IPv6 network: DNS
Greg Freemyer
greg.freemyer at gmail.com
Fri Jan 21 12:04:00 EST 2011
At the end of last night, my thought is maybe we need a ale-ipv6 list.
It was a bit overwhelming and clearly there is lots to talk about, but
I'm not sure the main list needs the traffic?
I'd join both, so I'm fine with it hitting here as well.
Greg
On Fri, Jan 21, 2011 at 11:25 AM, Michael B. Trausch <mike at trausch.us> wrote:
> One thing that I did not think to ask about last night: DNS on IPv6
> networks. I expect that this is a topic that by itself could be a
> presentation, because there are many, many issues involved with it.
>
> For starters: What is the preferred dæmon for use with IPv6? I know
> that my personal favorite (djbdns) does not support anything having to
> do with IPv6 unless you fetch some patches from the Internet, and those
> patches are less than stellar in terms of their usability and
> robustness, so really the solution for djbdns is to either continue
> patching it up, or scrap it entirely. Because I have less than no time
> on my hands, that's not really an option for me. I know that ISC BIND
> supports IPv6 (both records and connections), but it has such an awful
> past when it comes to security that I am hesitant to allow it on my
> network. However, it supports other features that are useful (DNSSEC,
> various forms of dynamic updates, and so forth), so... should I start
> using that again?
>
> There are a few other issues that I can think of:
>
> * For an IPv4 network, it is conventional (and expected) to provide
> reverse lookups for all addresses. But in order to do this in an
> IPv6 network would be impractical: the definitions for a single /64
> alone would require 1,180,591,620,717,411,303,424 bits
> (147,573,952,589,676,412,928 _bytes_, or exactly 128 EiB) of storage
> (and that's before even considering the storage for the names). So,
> it seems that reverse lookups would have to be provided only for
> known systems, and for the rest, the DNS server should be able to
> apply a template of some sort. Does BIND (or any other freely
> available DNS software, for that matter) support this ability?
>
> * Likewise, generic names are expected for addresses that aren't used
> for static things. So some sort of template-driven, fallback name
> should be available for hosts that aren't explicitly defined in the
> zone, just like with reverse lookups.
>
> * How in the world would such a thing be replicated to slave DNS
> servers? I do not believe that there is any sort of method to
> replicate anything but actual records in zone transfers and the like.
>
> Another, related issue that has to do with something that was brought up
> last night: sequential numbering of IP addresses within an IPv6 network.
> I can understand precisely why sequential number is a bad thing from a
> network scanning perspective, but one of the major reasons to number
> sequentially (other than operating in the mindset of conservation and
> lack of significant address space available) is the ability for a human
> user to quickly remember addresses and conveniently manage them. Should
> one just keep a list of MAC addresses and rely on stateless
> autoconfiguration for servers other than the network edge router? I
> suppose that would be one way of ensuring that the addresses for systems
> and the services running on them are well-known in the event of a
> complete failure of DNS...
>
> --- Mike
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
--
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
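The reverse-lookup problem in the quoted message, worked through as an added example (not code from either poster or from any DNS server): it builds the ip6.arpa owner name for an address, reproduces the storage arithmetic for a full /64, and models the "explicit record if known, template name otherwise" fallback that the message asks for. The prefix, host names and the `dyn-<iid>` naming scheme are constructed sample data.

```python
import ipaddress

# Constructed sample zone: one /64 and the few hosts that have static PTR records.
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
KNOWN_PTRS = {
    ipaddress.IPv6Address("2001:db8:1234:5678::1"): "gw.example.net.",
    ipaddress.IPv6Address("2001:db8:1234:5678::53"): "ns1.example.net.",
}


def reverse_name(addr):
    """Owner name under ip6.arpa: 32 nibble labels in reverse order, then ip6.arpa."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def template_name(addr, suffix="example.net."):
    """Generic fallback name derived from the 64-bit interface identifier.

    This stands in for the template mechanism the poster asks about; the
    dyn-<iid> form is an assumption for the example, not a standard."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return f"dyn-{iid:016x}.{suffix}"


def resolve_ptr(addr, known=KNOWN_PTRS, prefix=PREFIX):
    """Answer a PTR query the way a template-capable server would:
    explicit record if the address is known, synthesized name otherwise,
    and no answer at all for addresses outside the zone's prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        return None
    return known.get(a) or template_name(a)


def full_zone_storage_bytes(prefix, bits_per_entry=64):
    """Bytes needed to hold one fixed-size entry per address in the prefix.

    With 64 bits per entry this reproduces the figure quoted in the thread
    for a /64: 2**64 entries * 64 bits = 2**70 bits = 2**67 bytes = 128 EiB."""
    return prefix.num_addresses * bits_per_entry // 8


if __name__ == "__main__":
    print(reverse_name("2001:db8:1234:5678::1"))
    print(resolve_ptr("2001:db8:1234:5678::1"))
    print(resolve_ptr("2001:db8:1234:5678::abcd"))
    print(full_zone_storage_bytes(PREFIX))
```

Because the fallback name is computed at query time, nothing about it needs to be transferred to a secondary server beyond the explicit records; the secondary only has to apply the same template rule.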